Overview
- System affected: PHKP
- Software-Version: including commit 88fd9cfdf14ea4b6ac3e3967feea7bcaabb6f03b
- User-Interaction: Not required
- Impact: Remote-Code-Execution
- CVE: CVE-2018-1000885
Detailed Description
According to the project page, “PHKP is an implementation of the OpenPGP HTTP Keyserver Protocol (HKP) in PHP”. Because the query parameters of the /pks/lookup call are not sanitized, arbitrary shell commands can be injected and executed remotely.
In line 106 of phkp.php the search parameter of the /pks/lookup?op=index call is assigned without any checks, and in line 107 this variable is used as an argument of exec():
$search = $vars['search'];                                                  // line 106: taken verbatim from the query string, no validation
$pgp_result = pgp_exec("--list-public-keys --list-keys $search", $output);  // line 107: interpolated unquoted into the shell command
Arbitrary shell commands can therefore be injected through the search parameter:
curl http://localhost:8008/pks/lookup?op=index&search=js@example.com; id
In lines 116 and 117 the same problem occurs again for the /pks/lookup?op=get call, so the remote code execution is reachable in two places.
Proof-Of-Concept
An ordinary lookup could be the following:
By injecting shell commands into the search parameter, it is possible to execute any command:
Mitigation
Currently there is no fix for this bug. The author was informed on Jul 18 2018. One possible fix is to pass the parameter through the escapeshellcmd() function before it reaches exec().
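The following is an added example of such a fix, not PHKP's own code: the advisory names escapeshellcmd(), whereas this snippet uses escapeshellarg() (which quotes a single argument) together with an allow-list check of the search term; the function names is_valid_hkp_search() and build_lookup_command() are hypothetical, as are the sample inputs.

```php
<?php
// Added example (not part of PHKP): hardening the search parameter of
// /pks/lookup before it is used to build the gpg command line.

/**
 * HKP search terms are key IDs/fingerprints (8, 16 or 40 hex digits,
 * optional 0x prefix) or free-text user-ID/e-mail searches. Anything
 * else is rejected before it can reach the shell.
 */
function is_valid_hkp_search(string $search): bool
{
    if ($search === '' || strlen($search) > 256) {
        return false;
    }
    // A leading '-' would be parsed by gpg as an option even when quoted
    // (argument injection), so reject it regardless of the other rules.
    if ($search[0] === '-') {
        return false;
    }
    if (preg_match('/^(0x)?([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})$/', $search)) {
        return true;
    }
    // Free-text search: letters, digits, e-mail punctuation and spaces only;
    // shell metacharacters such as ';', '|', '$' and backticks are excluded.
    return preg_match('/^[A-Za-z0-9@._+ -]+$/', $search) === 1;
}

/**
 * Replacement for the argument string built on line 107 of phkp.php.
 * Returns null when the input is rejected; the caller should answer
 * with HTTP 400 instead of running gpg. escapeshellarg() is applied
 * even after validation so the shell never interprets the term.
 */
function build_lookup_command(string $search): ?string
{
    if (!is_valid_hkp_search($search)) {
        return null;
    }
    return '--list-public-keys --list-keys ' . escapeshellarg($search);
}

// Constructed inputs: an ordinary lookup, a key ID, and the injection
// shape from the advisory (which the allow-list rejects).
var_dump(build_lookup_command('js@example.com'));
var_dump(build_lookup_command('0xDEADBEEF'));
var_dump(build_lookup_command('js@example.com; id'));
```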
Credits
The remote code execution bug was discovered by Wolfgang Hotwagner (https://tech.feedyourhead.at/content/full-disclosure-remote-command-execution-in-phkp).